securenow 7.5.1 → 7.6.0

package/nextjs.js

@@ -32,24 +32,15 @@
  *      registerSecureNow();
  *    }
  * 
- * 3. Set environment variables:
- *    SECURENOW_APPID=my-nextjs-app
- *    SECURENOW_INSTANCE=http://your-otlp-backend:4318
+ * 3. Run `npx securenow login` and `npx securenow init`.
+ *    The SDK reads app identity, collector, firewall, capture, and
+ *    deploymentEnvironment from .securenow/credentials.json.
  */
 
 const { randomUUID } = require('crypto');
+const appConfig = require('./app-config');
 
-const env = k => process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
-
-const parseHeaders = str => {
-  const out = {}; if (!str) return out;
-  for (const raw of String(str).split(',')) {
-    const s = raw.trim(); if (!s) continue;
-    const i = s.indexOf('='); if (i === -1) continue;
-    out[s.slice(0, i).trim().toLowerCase()] = s.slice(i + 1).trim();
-  }
-  return out;
-};
+const env = appConfig.env;
 
 let isRegistered = false;
 
@@ -120,8 +111,9 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
 /**
  * Register SecureNow OpenTelemetry for Next.js using @vercel/otel
  * @param {Object} options - Optional configuration
- * @param {string} options.serviceName - Service name (defaults to SECURENOW_APPID or OTEL_SERVICE_NAME)
- * @param {string} options.endpoint - Traces endpoint (defaults to SECURENOW_INSTANCE)
+ * @param {string} options.serviceName - Service name (defaults to .securenow/credentials.json app.key/app.name)
+ * @param {string} options.endpoint - Traces endpoint (defaults to .securenow/credentials.json app.instance)
+ * @param {string} options.environment - deployment.environment override (defaults to config.runtime.deploymentEnvironment)
  * @param {boolean} options.noUuid - Don't append UUID to service name
  */
 function registerSecureNow(options = {}) {
@@ -144,8 +136,7 @@ function registerSecureNow(options = {}) {
     console.log('[securenow] Next.js integration loading (pid=%d)', process.pid);
 
     // -------- Configuration --------
-    // Resolution order: explicit options → env → .securenow/credentials.json → package.json#name
-    const appConfig = require('./app-config');
+    // Resolution order: explicit options -> .securenow/credentials.json -> legacy env fallback -> package.json#name
     const resolvedApp = appConfig.resolveAll();
 
     const rawBase = (options.serviceName || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
@@ -154,6 +145,9 @@ function registerSecureNow(options = {}) {
     // and the dashboard does exact match). opts.noUuid or SECURENOW_NO_UUID
     // override.
     const noUuid = appConfig.resolveNoUuid({ noUuid: options.noUuid });
+    const deploymentEnvironment = appConfig.normalizeDeploymentEnvironment(
+      options.environment || resolvedApp.deploymentEnvironment || env('VERCEL_ENV')
+    );
 
     // service.name
     let serviceName;
@@ -162,29 +156,25 @@ function registerSecureNow(options = {}) {
     } else {
       serviceName = `nextjs-app-${randomUUID()}`;
       console.warn('[securenow] ⚠️  No app identity resolved. Using fallback: %s', serviceName);
-      console.warn('[securenow] 💡 Run `npx securenow login` or set SECURENOW_APPID in .env.local');
+      console.warn('[securenow] Run `npx securenow login` and `npx securenow init` to write .securenow/credentials.json');
     }
 
     // -------- Endpoint Configuration --------
-    const endpointBase = (options.endpoint || resolvedApp.instance).replace(/\/$/, '');
-
-    // If credentials file provided an app key, surface it via x-api-key for collector routing.
-    if (resolvedApp.appKey && !env('OTEL_EXPORTER_OTLP_HEADERS') && !env('SECURENOW_API_KEY')) {
-      process.env.SECURENOW_API_KEY = resolvedApp.appKey;
-      process.env.OTEL_EXPORTER_OTLP_HEADERS = `x-api-key=${resolvedApp.appKey}`;
-    }
-    
-    const tracesUrl = env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
-    const logsUrl = env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
+    const resolvedEndpoints = appConfig.resolveEndpoints({ endpoint: options.endpoint || resolvedApp.instance });
+    const endpointBase = resolvedEndpoints.endpointBase;
+    const tracesUrl = resolvedEndpoints.tracesUrl;
+    const logsUrl = resolvedEndpoints.logsUrl;
+    const headers = resolvedEndpoints.headers;
 
     if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
     if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
     if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
 
-    console.log('[securenow] 🚀 Next.js App → service.name=%s', serviceName);
+    console.log('[securenow] Next.js App -> service.name=%s', serviceName);
+    console.log('[securenow] Environment: %s', deploymentEnvironment);
 
     // -------- Body Capture Configuration --------
-    // Opt-out default: set SECURENOW_CAPTURE_BODY=0 (or options.captureBody=false) to disable.
+    // Opt-out default: set config.capture.body=false (or options.captureBody=false) to disable.
     const captureBody = options.captureBody ?? !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
     const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
     const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
@@ -413,7 +403,7 @@ function registerSecureNow(options = {}) {
       registerOTel({
         serviceName: serviceName,
         attributes: {
-          'deployment.environment': env('NODE_ENV') || env('VERCEL_ENV') || 'development',
+          'deployment.environment': deploymentEnvironment,
           'service.version': process.env.npm_package_version || process.env.VERCEL_GIT_COMMIT_SHA || undefined,
           'vercel.region': process.env.VERCEL_REGION || undefined,
         },
@@ -444,7 +434,7 @@ function registerSecureNow(options = {}) {
       
       const traceExporter = new OTLPTraceExporter({ 
         url: tracesUrl,
-        headers: parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'))
+            headers
       });
       
       const sdk = new NodeSDK({
@@ -453,7 +443,7 @@ function registerSecureNow(options = {}) {
         instrumentations: [httpInstrumentation],
         resource: new Resource({
           [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
-          [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: env('NODE_ENV') || env('VERCEL_ENV') || 'production',
+          [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
           [SemanticResourceAttributes.SERVICE_VERSION]: process.env.npm_package_version || undefined,
         }),
       });
@@ -462,7 +452,7 @@ function registerSecureNow(options = {}) {
       console.log('[securenow] 🎯 Vanilla SDK initialized for self-hosted environment');
 
       // -------- Logging (self-hosted only) --------
-      // Opt-out default: set SECURENOW_LOGGING_ENABLED=0 to disable.
+      // Opt-out default: set config.logging.enabled=false to disable.
       const loggingEnabled = !/^(0|false)$/i.test(String(env('SECURENOW_LOGGING_ENABLED') ?? ''));
       if (loggingEnabled) {
         try {
@@ -471,13 +461,13 @@ function registerSecureNow(options = {}) {
 
           const logExporter = new OTLPLogExporter({
             url: logsUrl,
-            headers: parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS')),
+            headers,
           });
 
           const loggerProvider = new LoggerProvider({
             resource: new Resource({
               [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
-              [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: env('NODE_ENV') || 'production',
+              [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
             }),
           });
           loggerProvider.addLogRecordProcessor(new BatchLogRecordProcessor(logExporter));
@@ -614,25 +604,28 @@ function registerSecureNow(options = {}) {
   }
 
   // Firewall — runs independently from OTel so it works even if tracing fails.
-  // Key comes from env OR .securenow/credentials.json (set via
-  // `npx securenow api-key set snk_live_...`), so you don't need a .env entry.
-  const appConfig = require('./app-config');
-  const firewallApiKey = appConfig.resolveApiKey();
-  const firewallAppKey = appConfig.resolveAppKey();
-  if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+  // Key and environment come from .securenow/credentials.json (written by
+  // login/init or credentials runtime), so no .env entry is needed.
+  const firewallOptions = appConfig.resolveFirewallOptions();
+  if (firewallOptions.apiKey && firewallOptions.enabled) {
     try {
       require('./firewall').init({
-        apiKey: firewallApiKey,
-        appKey: firewallAppKey || null,
-        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
-        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
-        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
-        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
-        log: env('SECURENOW_FIREWALL_LOG') !== '0',
-        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
-        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
-        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+        apiKey: firewallOptions.apiKey,
+        appKey: firewallOptions.appKey,
+        environment: deploymentEnvironment || firewallOptions.environment,
+        apiUrl: firewallOptions.apiUrl,
+        versionCheckInterval: firewallOptions.versionCheckInterval,
+        syncInterval: firewallOptions.syncInterval,
+        failMode: firewallOptions.failMode,
+        statusCode: firewallOptions.statusCode,
+        log: firewallOptions.log,
+        tcp: firewallOptions.tcp,
+        iptables: firewallOptions.iptables,
+        cloud: firewallOptions.cloud,
+        cloudDryRun: firewallOptions.cloudDryRun,
+        cloudflare: firewallOptions.cloudflare,
+        aws: firewallOptions.aws,
+        gcp: firewallOptions.gcp,
       });
     } catch (e) {
       console.warn('[securenow] Firewall init failed:', e.message);
@@ -643,4 +636,3 @@ function registerSecureNow(options = {}) {
 module.exports = {
   registerSecureNow,
 };
-

package/nuxt-server-plugin.mjs

@@ -25,21 +25,7 @@ const appConfig = nodeRequire('./app-config');
 
 // ── Helpers ──
 
-const env = (k) =>
-  process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
-
-const parseHeaders = (str) => {
-  const out = {};
-  if (!str) return out;
-  for (const raw of String(str).split(',')) {
-    const s = raw.trim();
-    if (!s) continue;
-    const i = s.indexOf('=');
-    if (i === -1) continue;
-    out[s.slice(0, i).trim().toLowerCase()] = s.slice(i + 1).trim();
-  }
-  return out;
-};
+const env = appConfig.env;
 
 const DEFAULT_SENSITIVE_FIELDS = [
   'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
@@ -74,10 +60,10 @@ function getRuntimeOptions() {
 
 // ── Plugin ──
 
-export default defineNitroPlugin((nitroApp) => {
+export default defineNitroPlugin(async (nitroApp) => {
   const opts = getRuntimeOptions();
 
-  // Resolution order: opts → env → .securenow/credentials.json → package.json#name
+  // Resolution order: opts -> .securenow/credentials.json -> legacy env fallback -> package.json#name
   const resolvedApp = appConfig.resolveAll();
 
   // ── Naming ──
@@ -85,8 +71,11 @@ export default defineNitroPlugin((nitroApp) => {
   const baseName = rawBase || null;
   // Default: auto-disable per-worker suffix when logged in (appId is the
   // routing UUID and the dashboard does exact match). opts.noUuid or
-  // SECURENOW_NO_UUID override.
+  // config.runtime.noUuid or opts.noUuid override.
   const noUuid = appConfig.resolveNoUuid({ noUuid: opts.noUuid });
+  const deploymentEnvironment = appConfig.normalizeDeploymentEnvironment(
+    opts.environment || resolvedApp.deploymentEnvironment
+  );
 
   let serviceName;
   if (baseName) {
@@ -98,40 +87,31 @@ export default defineNitroPlugin((nitroApp) => {
       serviceName,
     );
     console.warn(
-      '[securenow] 💡 Run `npx securenow login` or set SECURENOW_APPID in .env',
+      '[securenow] Run `npx securenow login` or set app.key in .securenow/credentials.json',
     );
   }
 
   const serviceInstanceId = `${baseName || 'securenow'}-${uuidv4()}`;
 
   // ── Endpoints ──
-  const endpointBase = (opts.endpoint || resolvedApp.instance).replace(/\/$/, '');
-
-  // Surface credentials-file app key as x-api-key for collector routing.
-  if (resolvedApp.appKey && !env('OTEL_EXPORTER_OTLP_HEADERS') && !env('SECURENOW_API_KEY')) {
-    process.env.SECURENOW_API_KEY = resolvedApp.appKey;
-    process.env.OTEL_EXPORTER_OTLP_HEADERS = `x-api-key=${resolvedApp.appKey}`;
-  }
-
-  const tracesUrl =
-    env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
-  const logsUrl =
-    env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
-  const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
+  const resolvedEndpoints = appConfig.resolveEndpoints({ endpoint: opts.endpoint || resolvedApp.instance });
+  const endpointBase = resolvedEndpoints.endpointBase;
+  const tracesUrl = resolvedEndpoints.tracesUrl;
+  const logsUrl = resolvedEndpoints.logsUrl;
+  const headers = resolvedEndpoints.headers;
 
   // ── Resource ──
   const resource = new Resource({
     [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
     [SemanticResourceAttributes.SERVICE_INSTANCE_ID]: serviceInstanceId,
-    [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]:
-      env('NODE_ENV') || 'production',
+    [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
     [SemanticResourceAttributes.SERVICE_VERSION]:
       process.env.npm_package_version || undefined,
     'framework': 'nuxt',
   });
 
   // ── Body capture config ──
-  // Opt-out default: set SECURENOW_CAPTURE_BODY=0 (or opts.captureBody=false) to disable.
+  // Opt-out default: set config.capture.body=false (or opts.captureBody=false) to disable.
   const captureBody =
     opts.captureBody ??
     !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
@@ -240,7 +220,7 @@ export default defineNitroPlugin((nitroApp) => {
   );
 
   // ── Logging ──
-  // Opt-out default: set SECURENOW_LOGGING_ENABLED=0 (or opts.logging=false) to disable.
+  // Opt-out default: set config.logging.enabled=false (or opts.logging=false) to disable.
   const loggingEnabled =
     opts.logging ??
     !/^(0|false)$/i.test(String(env('SECURENOW_LOGGING_ENABLED') ?? ''));
@@ -304,7 +284,7 @@ export default defineNitroPlugin((nitroApp) => {
     }
   } else {
     console.log(
-      '[securenow] 📋 Logging: DISABLED (SECURENOW_LOGGING_ENABLED=0)',
+      '[securenow] Logging: DISABLED (config.logging.enabled=false)',
     );
   }
 
@@ -327,23 +307,27 @@ export default defineNitroPlugin((nitroApp) => {
   }
 
   // ── Firewall — runs independently from OTel ──
-  const firewallApiKey = env('SECURENOW_API_KEY');
-  const firewallAppKey = env('SECURENOW_APPID') || null;
-  if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+  const firewallOptions = appConfig.resolveFirewallOptions();
+  if (firewallOptions.apiKey && firewallOptions.enabled) {
     try {
       const { init: fwInit } = await import('./firewall.js');
       fwInit({
-        apiKey: firewallApiKey,
-        appKey: firewallAppKey,
-        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
-        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
-        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
-        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
-        log: env('SECURENOW_FIREWALL_LOG') !== '0',
-        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
-        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
-        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+        apiKey: firewallOptions.apiKey,
+        appKey: firewallOptions.appKey,
+        environment: deploymentEnvironment || firewallOptions.environment,
+        apiUrl: firewallOptions.apiUrl,
+        versionCheckInterval: firewallOptions.versionCheckInterval,
+        syncInterval: firewallOptions.syncInterval,
+        failMode: firewallOptions.failMode,
+        statusCode: firewallOptions.statusCode,
+        log: firewallOptions.log,
+        tcp: firewallOptions.tcp,
+        iptables: firewallOptions.iptables,
+        cloud: firewallOptions.cloud,
+        cloudDryRun: firewallOptions.cloudDryRun,
+        cloudflare: firewallOptions.cloudflare,
+        aws: firewallOptions.aws,
+        gcp: firewallOptions.gcp,
       });
     } catch (e) {
       console.warn('[securenow] Firewall init failed:', e.message);

package/nuxt.d.ts

@@ -3,17 +3,23 @@
  */
 
 export interface SecureNowNuxtOptions {
-  /**
-   * Service name for OpenTelemetry traces.
-   * @default process.env.SECURENOW_APPID || process.env.OTEL_SERVICE_NAME
-   */
-  serviceName?: string;
-
-  /**
-   * OTLP endpoint base URL.
-   * @default process.env.SECURENOW_INSTANCE || 'https://freetrial.securenow.ai:4318'
-   */
-  endpoint?: string;
+  /**
+   * Service name for OpenTelemetry traces.
+   * @default .securenow/credentials.json app.key/app.name
+   */
+  serviceName?: string;
+
+  /**
+   * OTLP endpoint base URL.
+   * @default .securenow/credentials.json app.instance, or https://freetrial.securenow.ai:4318
+   */
+  endpoint?: string;
+
+  /**
+   * Deployment environment sent as OpenTelemetry deployment.environment.
+   * @default .securenow/credentials.json config.runtime.deploymentEnvironment
+   */
+  environment?: string;
 
   /**
    * Don't append UUID to service name (useful when running a single instance).
@@ -22,18 +28,18 @@ export interface SecureNowNuxtOptions {
   noUuid?: boolean;
 
   /**
-   * Capture request bodies (POST/PUT/PATCH) on traced spans.
-   * Sensitive fields are automatically redacted.
-   * @default false
-   */
-  captureBody?: boolean;
-
-  /**
-   * Enable console log forwarding as OTLP log records.
-   * @default false
-   */
-  logging?: boolean;
-}
+   * Capture request bodies (POST/PUT/PATCH) on traced spans.
+   * Sensitive fields are automatically redacted.
+   * @default true from .securenow/credentials.json secure defaults
+   */
+  captureBody?: boolean;
+
+  /**
+   * Enable console log forwarding as OTLP log records.
+   * @default true from .securenow/credentials.json secure defaults
+   */
+  logging?: boolean;
+}
 
 declare module 'nuxt/schema' {
   interface NuxtConfig {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.5.1",
+  "version": "7.6.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/postinstall.js

@@ -69,23 +69,17 @@ function hasInstrumentationFile() {
 
 // Create TypeScript instrumentation file
 function createTsInstrumentation(targetPath) {
-  const content = `import { registerSecureNow } from 'securenow/nextjs';
+  const content = `import { createRequire } from 'node:module';
 
-export function register() {
-  registerSecureNow();
-}
+const require = createRequire(import.meta.url);
 
-/**
- * Configuration via .env.local:
- * 
- * Required:
- *   SECURENOW_APPID=my-nextjs-app
- * 
- * Optional:
- *   SECURENOW_INSTANCE=http://your-otlp-backend:4318
- *   OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-key"
- *   OTEL_LOG_LEVEL=info
- */
+export async function register() {
+  if (process.env.NEXT_RUNTIME !== 'nodejs') return;
+
+  const { registerSecureNow } = require('securenow/nextjs');
+  registerSecureNow({ captureBody: true });
+  require('securenow/nextjs-auto-capture');
+}
 `;
   
   fs.writeFileSync(targetPath, content, 'utf8');
@@ -93,26 +87,17 @@ export function register() {
 
 // Create JavaScript instrumentation file
 function createJsInstrumentation(targetPath) {
-  const content = `const { registerSecureNow } = require('securenow/nextjs');
+  const content = `import { createRequire } from 'node:module';
 
-export function register() {
-  registerSecureNow();
-}
+const require = createRequire(import.meta.url);
 
-/**
- * Configuration via .env.local:
- * 
- * Required:
- *   SECURENOW_APPID=my-nextjs-app
- * 
- * Optional:
- *   SECURENOW_INSTANCE=http://your-otlp-backend:4318
- *   OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-key"
- *   OTEL_LOG_LEVEL=info
- *   
- * Optional: Disable request body capture (enabled by default)
- *   SECURENOW_CAPTURE_BODY=0
- */
+export async function register() {
+  if (process.env.NEXT_RUNTIME !== 'nodejs') return;
+
+  const { registerSecureNow } = require('securenow/nextjs');
+  registerSecureNow({ captureBody: true });
+  require('securenow/nextjs-auto-capture');
+}
 `;
   
   fs.writeFileSync(targetPath, content, 'utf8');
@@ -133,12 +118,8 @@ export const config = {
 /**
  * Bodies are captured with:
  * - Automatic redaction of passwords, tokens, cards, etc.
- * - Size limits (configurable via SECURENOW_MAX_BODY_SIZE)
+ * - Size limits from .securenow/credentials.json
  * - JSON, GraphQL, Form data support
- * 
- * Configure in .env.local:
- *   SECURENOW_MAX_BODY_SIZE=20480
- *   SECURENOW_SENSITIVE_FIELDS=email,phone
  */
 `;
   
@@ -160,38 +141,24 @@ export const config = {
 /**
  * Bodies are captured with:
  * - Automatic redaction of passwords, tokens, cards, etc.
- * - Size limits (configurable via SECURENOW_MAX_BODY_SIZE)
+ * - Size limits from .securenow/credentials.json
  * - JSON, GraphQL, Form data support
- * 
- * Configure in .env.local:
- *   SECURENOW_MAX_BODY_SIZE=20480
- *   SECURENOW_SENSITIVE_FIELDS=email,phone
  */
 `;
   
   fs.writeFileSync(targetPath, content, 'utf8');
 }
 
-// Create .env.local template
+// Create a credentials-file reminder for old callers that still import this helper.
 function createEnvTemplate(targetPath) {
-  const content = `# SecureNow Configuration
-# Required: Your application identifier
-SECURENOW_APPID=my-nextjs-app
-
-# Optional: Your OTLP-compatible backend / collector endpoint
-# Default: https://freetrial.securenow.ai:4318
-SECURENOW_INSTANCE=http://your-otlp-backend:4318
+  const content = `SecureNow no longer needs a .env file for local development.
 
-# Optional: API key or authentication headers
-# OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-api-key-here"
+Run:
+  npx securenow login
+  npx securenow init
 
-# Optional: Log level (debug|info|warn|error)
-# OTEL_LOG_LEVEL=info
-
-# Optional: Disable request body capture (enabled by default)
-# SECURENOW_CAPTURE_BODY=0
-# SECURENOW_MAX_BODY_SIZE=10240
-# SECURENOW_SENSITIVE_FIELDS=email,phone
+The CLI writes .securenow/credentials.json with the selected app, firewall key,
+secure defaults, and explanations for each setting.
 `;
   
   fs.writeFileSync(targetPath, content, 'utf8');
@@ -327,4 +294,3 @@ module.exports = { setup };
 
 
 
-

package/register.d.ts

@@ -6,27 +6,17 @@
  */
 
 /**
- * Environment Variables:
- * 
- * Required:
- * - SECURENOW_APPID=your-app-name - Logical service name
- * - SECURENOW_INSTANCE=http://host:4318 - OTLP endpoint
- * 
- * Optional:
- * - SECURENOW_NO_UUID=1 - Use same service.name across all workers
- * - SECURENOW_STRICT=1 - Exit if no appid/name provided in cluster
- * - SECURENOW_CAPTURE_BODY=1 - Enable request body capture
- * - SECURENOW_MAX_BODY_SIZE=10240 - Max body size in bytes (default: 10KB)
- * - SECURENOW_SENSITIVE_FIELDS=field1,field2 - Additional sensitive fields
- * - SECURENOW_DISABLE_INSTRUMENTATIONS=pkg1,pkg2 - Disable specific instrumentations
- * - OTEL_LOG_LEVEL=info|debug - Logging level
- * - SECURENOW_TEST_SPAN=1 - Create test span on startup
- * 
- * Alternative Environment Variables:
- * - OTEL_SERVICE_NAME - Alternative to SECURENOW_APPID
- * - OTEL_EXPORTER_OTLP_ENDPOINT - Alternative to SECURENOW_INSTANCE
- * - OTEL_EXPORTER_OTLP_TRACES_ENDPOINT - Full traces URL
- * - OTEL_EXPORTER_OTLP_HEADERS - Headers for OTLP exporter (k=v,k2=v2)
+ * Configuration:
+ *
+ * Local development reads .securenow/credentials.json. Run
+ * `npx securenow login` to choose/create an app, then `npx securenow init`
+ * to ensure secure defaults and explanations are present.
+ *
+ * Production uses the same file shape. Run
+ * `npx securenow credentials runtime --env production`, then mount/copy the
+ * generated JSON to .securenow/credentials.json in the running app.
+ *
+ * Legacy env vars are fallback-only for existing installs.
  */
 
 // This module has side effects (initializes OpenTelemetry)
@@ -49,18 +39,14 @@ export {};
  * @example
  * ```javascript
  * // ecosystem.config.js
- * module.exports = {
- *   apps: [{
- *     name: 'my-app',
- *     script: './app.js',
- *     node_args: '-r securenow/register',
- *     env: {
- *       SECURENOW_APPID: 'my-app',
- *       SECURENOW_INSTANCE: 'http://your-otlp-backend:4318',
- *       SECURENOW_CAPTURE_BODY: '1',
- *     }
- *   }]
- * };
+ * module.exports = {
+ *   apps: [{
+ *     name: 'my-app',
+ *     script: './app.js',
+ *     node_args: '-r securenow/register',
+ *     // Local and production use .securenow/credentials.json.
+ *   }]
+ * };
  * ```
  * 
  * @example